doc/3.2.1/Working With Finder/Understanding Objects

1. Objects and Activity

In this section we discuss the basic objects which are at the root of all information provided by NEXThink. Understanding and manipulating these objects is essential to create investigations and obtain good results when using NEXThink V3. When we create or edit an investigation, we find at the top of the page a list of 11 elements, as shown in the picture.

Figure: understanding_objects.png

These elements are associated either with a physical object on your network (e.g., a source) or with a concrete activity (e.g., a connection). The different elements are summarised in the following table:

Objects and activities, with their description:

  • Users: a Windows user account
  • Sources: a Windows machine on which the NEXThink Collector is installed
  • Packages: a software package (program or update) that is installed on a source
  • Applications: a set of executables grouped by a common criterion, normally the same product name (e.g. Microsoft Office)
  • Executables: a group of binaries with the same attributes such as name, product, company, etc. (e.g. all files named word.exe)
  • Binaries: a specific executable file (e.g. the file c:/windows/word.exe with MD5 hash 0x123456789ABCDEF)
  • Ports: the port number associated with a UDP or TCP connection
  • Destinations: the destination machine of a connection
  • Installations: an installation (or uninstallation) of a package
  • Executions: one or more instances of binary executions
  • Connections: one or a set of UDP or TCP connections

1.1. Users

A NEXThink user is a Windows user. A user is identified by a security identifier, or SID. In Windows environments, there are three types of users:

  • system users, which have well-known SIDs, e.g., S-1-5-18.
  • local users, whose SID is composed of the machine SID followed by a unique local id.
  • network users, whose SID is composed of a Windows domain SID followed by a unique domain id.

The "Name" field of a user contains the following information:

  • "Local administrator", "NT Authority" or "Local system" for system users
  • the username of the user as defined in Active Directory, if AD is configured in the Engine and the SID can be found
  • the local username otherwise; it appears in the format "username@source_name"

Note: As part of privacy rules compliance, a user's collected AD information and names cannot be accessed by NEXThink users unless explicit rights were granted to their NEXThink user account.
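The three user types above, as an added worked example (not NEXThink's own code): a local account SID and a domain account SID have exactly the same shape (a prefix SID followed by a relative id), so telling them apart requires knowing which prefixes are domain SIDs; the lookup tables for AD and local names are constructed stand-ins for the Engine's data, and "NT Authority" for S-1-5-19/20 is an assumption.

```python
import re

# Well-known system accounts. S-1-5-18 is the page's example (Local System);
# mapping S-1-5-19/20 (the NT AUTHORITY service accounts) to "NT Authority"
# is my assumption about how the Name field is filled.
SYSTEM_SIDS = {"S-1-5-18": "Local system",
               "S-1-5-19": "NT Authority",
               "S-1-5-20": "NT Authority"}

# <machine-or-domain SID>-<relative id>: local and domain accounts look alike.
ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def classify_user(sid, domain_sids):
    """Return (kind, prefix, rid) with kind in system/network/local/unknown.

    domain_sids is the set of known domain SIDs; any account SID whose prefix
    is not a known domain SID is treated as a local account (assumption)."""
    if sid in SYSTEM_SIDS:
        return "system", sid, None
    m = ACCOUNT_SID.match(sid)
    if not m:
        return "unknown", sid, None
    prefix, rid = m.group(1), int(m.group(2))
    return ("network" if prefix in domain_sids else "local"), prefix, rid

def user_name(sid, source_name, domain_sids, ad_names, local_names):
    """Build the Name field following the three rules on the page.
    ad_names / local_names: constructed {sid: username} lookup tables."""
    kind, _, _ = classify_user(sid, domain_sids)
    if kind == "system":
        return SYSTEM_SIDS[sid]
    if kind == "network" and sid in ad_names:      # AD configured, SID found
        return ad_names[sid]
    if sid in local_names:                         # otherwise the local name
        return f"{local_names[sid]}@{source_name}"
    return sid                                     # nothing known (assumption)
```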

1.2. Sources

A NEXThink source is a Windows machine on which the NEXThink Collector is installed. In a Windows workstation network, each host can be uniquely identified by its security identifier, or SID. Unfortunately, workstations are most often deployed by cloning a master installation and, if this is not performed carefully, the security identifier is sometimes cloned as well.

This is why, with NEXThink, a machine is identified not only by its SID but also by the MAC addresses of its network interfaces. Again, the uniqueness of MAC addresses is key to uniquely identifying a machine; however, identifying a unique source from MAC addresses that are not always unique is a complex task, for the following reasons:

  • Physical and logical network interfaces are difficult to tell apart on a Windows workstation. For example, a logical network interface used by a VPN connection gets a new MAC address on each new connection.
  • Some virtual machines assign a random MAC address to their network interface, which may change at boot time if a conflict is detected.
  • Mobile network interfaces, e.g. WiFi or GSM interfaces, can be moved from one machine to another.
  • Some network interface manufacturers do not even comply with the IEEE 802 standard and ship non-unique MAC addresses.

The NEXThink V3 Engine uses black, grey and white lists based on the IEEE OUI and known non-unique MAC address ranges as a heuristic to determine MAC address uniqueness. This method has turned out to be very robust but has failed on rare occasions; this is why, starting from version 3.2.1, the NEXThink Engine also uses hardware-based information when MAC addresses cannot be trusted to be unique, in order to ensure proper and unique identification.

1.3. Packages

A package represents a software package installed on a machine and can be of two types: "program" or "update". An "update" is always linked to the "program" it has patched. Packages are the items that appear in the "Add / Remove Programs" dialog of the Windows operating system.

1.4. Applications

An application is a set of executables bundled together by a software manufacturer to make a software product. For instance, the Firefox product is composed of the firefox.exe executable together with the updater.exe and crashreporter.exe executables. Some products are composed of many executables, for instance the Microsoft Windows operating system; others of only one.

1.5. Executables

An executable is an executable program, which may correspond to a group of similar binaries. For instance, if three minor versions of winword.exe coexist on the same network, winword.exe is the executable program, grouping the binaries of versions 10.0.6843, 10.0.2384 and 10.1.7853.

In order to map a new binary to the right application, the NEXThink Engine compares the executable, product and company names, as well as the path of the new binary, to the known binaries. If no known binary matches, a new product and application are created in the database.

Binaries whose resources do not contain any information about the software manufacturer are mapped into a special unknown group. While this is rarely the case for well-known manufacturers, it is quite common for free software compiled with the gcc compiler.

1.6. Binaries

A binary is a specific executable which can be identified by its MD5 checksum.

A binary is tagged with a version and may be installed in more than one directory. Standard, controlled binaries are usually installed in a dedicated directory, but some executables, especially those deployed without any controlled install process, may be found in different directories. In a Windows environment, the software manufacturer, product and binary information may be extracted from the executable resources and are used to automatically sort binaries into applications and products. To avoid the NEXThink Collector reporting inconsistent paths, well-known directories are mapped into logical paths.

For instance, the NEXThink Collector maps C:\Program Files to %ProgramFiles% so that this well-known directory, which is subject to localization, is not reported both as C:\Program Files and as C:\Programmes.

The NEXThink Collector uses the following mapping:

  • System-wide aliases:
    • %Windows%: Windows installation directory. Ex.: C:\WINDOWS\
    • %System%: Windows System directory. Ex.: C:\WINDOWS\SYSTEM32\
    • %ProgramFiles%: Directory where software is usually installed. Ex.: C:\Program Files\
    • %NetDrive%: all network shares. Ex.: \\SERVER1\
    • %RemovableDrive%: non-permanent storage devices. Ex.: USB sticks or CD-ROM drives.
    • %AllProfile%: Directory containing data accessible by all users. Ex.: C:\Documents and Settings\All Users\
  • User-specific aliases:
    • %UserProfile%: Directory containing user-specific data. Ex.: C:\Documents and Settings\johndoe\
    • %ProfileTemp%: Directory where temporary files are usually stored. Ex.: C:\Documents and Settings\johndoe\Local Settings\Temp\

Notes:

  • The Engine keeps a maximum of 20 paths per binary. If more than 20 paths are reported, the newest one replaces the oldest one.
  • Drive letters (C:\, D:\, etc.) of non-aliased paths are not kept within the internal database.
  • %ProfileTemp% is sometimes used as an alias for paths that look like a temporary location. Ex.: C:\a213ebf232211208abde421\
  • It is not possible to bind a specific path to another object (e.g. source, user).
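The alias mapping and the notes above, as an added worked example (not the Collector's own code): a path normaliser that applies the page's aliases, the %ProfileTemp% heuristic for temporary-looking directories, and the "drive letter not kept" rule. The profile root, the user name, the longest-prefix-first ordering, the "16 or more hex characters" heuristic and the removable-drive list are all assumptions made for the demo.

```python
import re

# Alias table from the page with its example directories; the profile root
# and user name are assumed. Longer prefixes are tried first so %System%
# wins over %Windows% and %ProfileTemp% over %UserProfile% (my assumption).
def build_aliases(user="johndoe", profiles=r"C:\Documents and Settings"):
    user_profile = profiles + "\\" + user
    table = [
        (user_profile + r"\Local Settings\Temp", "%ProfileTemp%"),
        (user_profile, "%UserProfile%"),
        (profiles + r"\All Users", "%AllProfile%"),
        (r"C:\WINDOWS\SYSTEM32", "%System%"),
        (r"C:\WINDOWS", "%Windows%"),
        (r"C:\Program Files", "%ProgramFiles%"),
    ]
    return sorted(table, key=lambda entry: -len(entry[0]))

# Directory under the drive root that looks like a temporary location (page
# example: C:\a213ebf232211208abde421\); "16+ hex characters" is my heuristic.
TEMP_LIKE = re.compile(r"^[a-z]:\\[0-9a-f]{16,}(?=\\)", re.I)
DRIVE = re.compile(r"^[a-z]:\\", re.I)

def logical_path(path, aliases, removable_drives=("E:",)):
    """Map a collected Windows path to the logical form the page describes.
    removable_drives stands in for the drive-type check the Collector does."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\"):                      # UNC path -> %NetDrive%
        cut = p.find("\\", 2)                     # drop \\SERVER, keep \share\...
        return "%NetDrive%" + (p[cut:] if cut > 0 else "")
    if p[:2].upper() in removable_drives:
        return "%RemovableDrive%" + p[2:]
    low = p.lower()
    for prefix, alias in aliases:
        if low.startswith(prefix.lower() + "\\"):
            return alias + p[len(prefix):]
    m = TEMP_LIKE.match(p)
    if m:
        return "%ProfileTemp%" + p[m.end():]
    # Non-aliased path: the drive letter is not kept (note on the page).
    return p[2:] if DRIVE.match(p) else p
```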

1.7. Ports

A port is identified by its port number and the associated connection type, i.e. UDP or TCP. There are two special NEXThink port group names:

  • multiple_tcp, which represents a detected TCP port scan. The first and last scanned ports can be found in the associated event. Note that events associated with a TCP port scan are always unsuccessful connection events.

  • multiple_udp, which represents a UDP port scan. The first and last scanned ports can be found in the associated event.

1.8. Destinations

A destination is identified by its IP address. There are two special destinations:

  • external, which represents the Internet or, more generally, networks that are not under NEXThink Engine supervision.

  • multiple, which represents a network scan.

The network mask on which the network scan took place can be found in the associated event. Events associated with a TCP network scan are always unsuccessful events.

Note: Understanding the NEXThink "external" definition: the logical definition of the external network is deduced from the list of IP address ranges defined in the Engine configuration by the Engine administrator.

1.9. Installations

An installation activity is generated each time a package is installed or uninstalled on a source. As the Windows operating system is not able to signal installations and uninstallations, the NEXThink Collector polls the list of installed packages at regular intervals. If a change is detected, it creates the corresponding installation events. This explains why the installation time reported by NEXThink is not the exact time of installation but rather the time when the Collector detected that something had changed.

1.10. Executions

The Execution key returns information about the effective execution of a given binary, such as the execution duration of a given program.

  • Execution status stopped indicates that the execution process stopped during the investigation time frame.

  • Execution status started indicates that the execution process was in a running state during the investigation time frame.

  • Limitations: since execution information applies by default to all processes, a Finder investigation on the Execution key is set to always return only the top 100 most recent programs; a specific investigation must therefore be refined with an associated Finder filter rule.
  • An execution may reflect a binary that is being executed by the Windows operating system itself. Reported activities of Windows kernel services are mapped to a special System binary group.

1.11. Connections

The NEXThink Collector handles two connection types:

  • tcp, which represents a TCP connection
  • udp, which represents a UDP connection.

In addition, there are four other special NEXThink connection types reflecting TCP and UDP network and port scanning:

  • If a process makes unsuccessful TCP connections to more than 50 ports on the same destination within a 30 second period, those connections are automatically grouped into a TCP port scanning connection type (multiple_tcp).

  • If a process makes UDP connections to more than 50 ports on the same destination within a 30 second period, those connections are automatically grouped into a UDP port scanning connection type (multiple_udp).

  • If a process makes unsuccessful TCP connections to the same port on more than 50 different destinations within a 30 second period, those connections are automatically grouped into a TCP network scanning destination (multiple).

  • If a process makes UDP connections to the same port on more than 50 different destinations within a 30 second period, those connections are grouped into a UDP network scanning destination (multiple).
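The four grouping rules above, as an added worked example (not the Collector's or Engine's own code): a sliding-window detector that applies the page's thresholds (more than 50 ports or destinations within 30 seconds, counting only unsuccessful TCP connections but every UDP attempt) over constructed connection records, and labels the result with the page's group names. The record layout and the sample traffic are constructed for the demo.

```python
import ipaddress
from collections import defaultdict

SCAN_THRESHOLD = 50   # "more than 50" ports or destinations ...
SCAN_WINDOW_S = 30    # ... "within a 30 second period" (values from the page)

def _counts_as_probe(c):
    # UDP is connectionless, so every UDP attempt counts; for TCP only
    # unsuccessful connections do (page rule).
    return c["proto"] == "udp" or not c["ok"]

def find_scans(conns):
    """conns: dicts {pid, proto, dst, port, t, ok} (constructed layout).
    Returns (pid, proto, label, anchor, first, last): label is the page's
    group name (multiple_tcp / multiple_udp for a port scan, anchor = the
    destination; 'multiple' for a network scan, anchor = the port); first and
    last are the lowest and highest port or destination in the group."""
    groups = defaultdict(list)
    for c in filter(_counts_as_probe, conns):
        groups[(c["pid"], c["proto"], "multiple_" + c["proto"], c["dst"])].append((c["t"], c["port"]))
        groups[(c["pid"], c["proto"], "multiple", c["port"])].append((c["t"], c["dst"]))
    scans = []
    for (pid, proto, label, anchor), evs in groups.items():
        evs.sort()
        seen, i = defaultdict(int), 0
        for t, v in evs:
            seen[v] += 1
            while evs[i][0] < t - SCAN_WINDOW_S:     # drop events older than 30 s
                old = evs[i][1]; i += 1
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            if len(seen) > SCAN_THRESHOLD:            # distinct values in window
                key = ipaddress.ip_address if label == "multiple" else int
                vals = sorted({v for _, v in evs}, key=key)
                scans.append((pid, proto, label, anchor, vals[0], vals[-1]))
                break
    return scans

def sample_connections():
    """Constructed sample: a fast TCP port scan, a UDP sweep of one port across
    many hosts, a probe too slow to qualify, and normal established traffic."""
    conns = [dict(pid=10, proto="tcp", dst="10.0.0.5", port=p, t=0.2 * p, ok=False)
             for p in range(1, 61)]                             # 60 ports in 12 s
    conns += [dict(pid=11, proto="udp", dst=f"10.0.1.{h}", port=161, t=0.1 * h, ok=True)
              for h in range(1, 56)]                            # 55 hosts in 6 s
    conns += [dict(pid=12, proto="tcp", dst="10.0.0.7", port=p, t=2.0 * p, ok=False)
              for p in range(1, 61)]                            # 60 ports over 120 s
    conns += [dict(pid=13, proto="tcp", dst="93.184.216.34", port=443, t=float(k), ok=True)
              for k in range(3)]                                # established web traffic
    return conns
```

Running find_scans(sample_connections()) reports pid 10 as multiple_tcp against 10.0.0.5 (ports 1 to 60) and pid 11 as a multiple destination on port 161, while the slow probe and the established traffic are left as ordinary connections.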

A TCP connection may have five different statuses:

  • established: The TCP connection has been accepted by the remote party.

  • closed: The TCP connection has been closed after having been successfully established.

  • no_service: The remote party acknowledged the initial SYN message with a RST message, i.e. the remote party exists but no service is bound to the requested port. Note: most personal computers are protected by a firewall that suppresses RST messages to prevent effective port scanning.

  • no_host: The remote party does not acknowledge the SYN message, i.e. the remote party does not exist or is protected by a firewall.

  • refused: The TCP connection was rejected by the Windows operating system itself, e.g. due to a security setting.

2. Editing object properties

Most NEXThink objects are defined by their collected properties, such as the name and company name of an application. These properties can be altered using the object Edit capabilities. To edit an object property, select an object in a Finder result list, then right-click and select Edit (see Tag Objects for more information).